19 October 2025

Innovation Law Insights

20 October 2025
Event

DLA Piper AI Academy arrives in Milan

Following on from events in London, Paris and Luxembourg, DLA Piper has launched its AI Academy in Milan.
The first in-person session will take place on 12 November 2025 at our Milan office, offering exclusive insights on the legal, technical and ethical aspects of AI.

The programme is designed for professionals managing AI governance and risks, combining practical guidance, case studies, and networking in a small group setting.

Early-bird fee: EUR1,900 + VAT (includes one full-day session and three follow-up webinars).

For details or registration, contact Silvia Molignani.


Data Protection and Cybersecurity

The CSIRT Contact Person: A new role in the NIS2 framework

With Determination No. 333017, the Italian National Cybersecurity Agency (ACN) has introduced a new figure into the regulatory framework of NIS2: the CSIRT Contact Person.

Although this figure isn't expressly provided for by the NIS2 Directive or by Legislative Decree No. 138 of 4 September 2024 (NIS2 Decree), all entities that fall under the scope of the NIS2 Decree and are registered on the ACN portal have to appoint a contact person. They then have to notify ACN of the appointment through the portal by 31 December 2025.

Who is the CSIRT Contact Person and what are their duties?

According to Article 7 of the Determination, the CSIRT Contact Person is an individual designated by the organisation’s Point of Contact, with the following duties:

  • liaising with CSIRT Italia, the national authority responsible for the operational management of cybersecurity incidents;
  • submitting significant incident notifications pursuant to Articles 25 and 26 of the NIS2 Decree.

The CSIRT Contact Person is a technical and specialised role. They’re responsible for managing the operational aspects of NIS2 compliance relating to the notification of significant incidents. Specifically, the CSIRT Contact Person is entrusted with submitting notifications and maintaining communication with CSIRT Italia, whether during the post-notification phase (e.g. in response to requests for clarification or additional information) or as part of broader communication with the CSIRT.

The role is complementary to that of the Point of Contact, who retains general responsibility for communicating with ACN and for implementing the provisions of the NIS2 Decree. In contrast, the CSIRT Contact Person focuses exclusively on operational and technical aspects related to incident management and notification, without any involvement in other compliance obligations under the NIS2 Decree.

Who can be appointed?

Under Article 7 of the Determination, the CSIRT Contact Person must be an individual who has:

  • basic knowledge of cybersecurity and incident management; and
  • in-depth knowledge of the organisation’s information systems and networks.

Unlike the Point of Contact – who doesn’t have to have technical expertise – the CSIRT Contact Person must meet specific technical and knowledge-based requirements.

Two main interpretative issues arise regarding this role.

The first concerns the level of competence required to be appointed. The Determination refers to “basic” cybersecurity skills, suggesting that while a highly specialised profile isn’t mandatory, the role cannot be assigned to individuals without any training or experience in cybersecurity. Given the critical nature of the function and the sensitivity of the issues involved, it’s advisable to entrust the role to a properly trained and experienced professional capable of managing the responsibilities effectively.

The second issue concerns whether the CSIRT Contact Person can be external to the organisation. The Determination doesn’t specify whether the person must be an employee of the company or may be an external consultant. In the absence of explicit prohibitions, it’s reasonable to assume that an external consultant or collaborator may be appointed, provided that the person:

  • has an in-depth understanding of the organisation’s IT systems; and
  • can demonstrate genuine familiarity and operational capability with those systems.

If the role is entrusted to an external cybersecurity service provider, it’s essential that the provider already has a thorough knowledge of the organisation’s infrastructure. The appointment cannot be assigned “from scratch” to a third party with no prior familiarity with the company’s IT environment.

Substitute CSIRT Contact Person

The Determination also provides for the possibility to designate one or more substitutes, to ensure operational continuity and timely communication if the main contact is unavailable.

Given the unpredictability of cyber incidents, it’s strongly recommended to appoint multiple CSIRT Contact Persons, organising work shifts and leave periods to ensure that at least one contact person is always available.

Next steps

The introduction of the CSIRT Contact Person represents an additional organisational component within the NIS2 compliance framework, complementing the role of the Point of Contact.

Organisations must now:

  • carefully assess who to assign the role to, ensuring that the designated person meets the technical competence requirements set out in the Determination;
  • formally appoint the CSIRT Contact Person, defining their functions and integrating the role into the company’s cybersecurity governance structure;
  • ensure continuous availability of the designated person, which is essential for proper incident notification and response.

Starting from 20 November, it will be possible to create the CSIRT Contact Person’s user account directly through the ACN portal. This operation must be carried out by the Point of Contact, who will be responsible for entering the required information and creating the account.

Conclusion

The introduction of the CSIRT Contact Person marks an important step toward a more structured and responsive cybersecurity governance under the NIS2 framework.

Organisations should view this not merely as a regulatory requirement but as an opportunity to enhance their incident response capabilities and strengthen the overall resilience of their information systems.

Author: Federico Toscani


Intellectual Property

The new Italian AI law and the crime of deepfake distribution

The Italian AI law, definitively approved on 17 September 2025, and effective from 10 October 2025, introduces a new criminal offense aimed at sanctioning the publication and distribution of deepfakes.

Deepfakes: Definition and risks

According to the AI Act, a “deepfake” is “an image or audio/video content generated or manipulated by AI that resembles existing people, objects, places, entities, or events and would appear falsely authentic or truthful to a person.”

The social and criminal relevance of deepfakes comes from multiple factors. From a technical perspective, it’s increasingly difficult – if not impossible – to distinguish a real image from one generated artificially. Contextual factors also contribute: deepfakes are often used to create so-called deep nudes, sexually explicit images in which AI artificially removes a person’s clothing without their consent.

Pornographic deepfakes first appeared online around 2018, particularly on Reddit, and have since been removed from many platforms. Initially, they mostly targeted celebrities, but their use has become increasingly widespread over time.

From a regulatory perspective, the AI Act requires AI system deployers to disclose when audiovisual content is artificially generated or manipulated. The new Italian law focuses on those who disseminate such content, sanctioning its publication without consent.

The new crime of unlawful AI content distribution

The AI law introduces, under Article 612-quater of the Italian Penal Code, the offense of “Illicit distribution of content generated or altered with artificial intelligence systems.”

The provision penalises the publication, transfer and dissemination of “images, videos or voices falsified or altered using AI systems and capable of misleading regarding their authenticity” when such sharing causes unjust damage to the offended person, and the content is distributed without their consent.

The offense is punishable by imprisonment from one to five years and is generally prosecutable upon complaint by the offended party, except when:

  • the act is connected to another offense requiring ex officio prosecution;
  • it’s committed against a person incapable due to age or infirmity; or
  • it involves a public authority in relation to the functions exercised; in such cases, prosecution occurs ex officio.

Responsibilities and practical consequences

The deepfake phenomenon intersects multiple areas of law.

The dissemination of manipulated content may simultaneously constitute a violation of image and privacy rights, a defamatory act, and, under the conditions mentioned, the new criminal offense under Article 612-quater.

Victims often suffer serious and long-lasting economic and reputational damage, linked to the loss of control over their digital identity.

At the same time, practical consequences are (and will increasingly be) significant for companies and online platforms, which have to implement stricter monitoring and reporting systems, for example under the Digital Services Act.

Conclusion

While the new offense represents a step forward in protecting victims, it raises several interpretative and practical questions. Criminal liability requires that the dissemination has actually caused “unjust damage,” leaving out cases where the harm is only potential. And it remains to be seen how courts will interpret the requirement that images be “capable of misleading regarding their authenticity.”

The new criminalisation is an important step toward adapting criminal law to the era of AI, but it’s only one of the tools needed to address the complex phenomenon of deepfakes.

It’s essential that authorities, technology companies, and law enforcement collaborate to develop technical, regulatory, and ethical solutions capable of preventing abuse and ensuring effective protection of individuals’ rights.

Author: Lara Mastrangelo


Gaming and Gambling

VoP mismatches in online gambling: What operators need to know

Verification of Payee (VoP) mismatches in online gambling may block payments under the EU Instant Payments Regulation. Here’s how operators can comply and prevent risks.

From 9 October 2025, the EU Instant Payments Regulation (Regulation 2024/886) requires all payment service providers to use the VoP system. This means that before any transfer goes ahead – including gaming deposits and payouts – the beneficiary’s name and IBAN must be verified as matching the actual account holder.

For the gambling industry, this introduces a new operational challenge: the issue of VoP mismatches in online gambling. Even a small discrepancy, such as a missing middle name or typo, can delay or block a payment. For remote gaming operators, these mismatches aren’t only technical hurdles but also compliance and reputational risks that must be managed carefully.

Understanding VoP mismatches in online gambling

A VoP mismatch occurs when a payment provider detects that the name and IBAN entered by the payer don’t exactly match the beneficiary details held by the bank.

Under the Instant Payments Regulation (IPR), all payment service providers (PSPs) – including banks, payment institutions, and e-money institutions – must perform this check for both instant and standard transfers.

How this affects gambling operators

  • Blocked payouts: Transfers to players might be delayed or rejected.
  • Increased disputes: Players might contest transactions or claim unpaid winnings.
  • Operational stress: Manual checks and follow-ups slow down payment processing.
  • Liability questions: If an operator authorises a transfer after a VoP alert, it may share responsibility for potential losses.

In short, VoP mismatches in online gambling require operators to adapt both their technical systems and internal procedures to remain compliant and efficient.

AML and KYC risks behind VoP mismatches

While the VoP rule focuses on fraud prevention, it also intersects with Anti-Money Laundering (AML) and Know-Your-Customer (KYC) obligations.

Regulators consider payouts to third-party accounts or mismatched beneficiaries as anomaly indicators that may signal identity misuse or money-laundering attempts.

Best practices to align AML and VoP controls

  • Use one-to-one payout rules: Winnings should only go to accounts owned by the same verified player.
  • Document exceptions: If a transfer to another account is permitted, the operator must verify the relationship and ensure no red flags exist.
  • Monitor continuously: Detecting repeated mismatches can help identify account takeovers or proxy use.
  • Review VoP alerts jointly: Compliance and payments teams should analyse mismatches together to determine whether they’re operational or suspicious.

Ignoring VoP mismatches in online gambling can lead to AML violations, contractual disputes, and reputational damage – particularly in high-risk jurisdictions.

Preparing for the Instant Payments Regulation

Although the technical implementation of VoP is a duty of PSPs, online gambling operators have to ensure their systems and compliance frameworks are aligned with the new regime.

Action steps for operators

  • Integrate VoP alerts into payout systems to flag discrepancies automatically.
  • Update contracts with PSPs to clarify roles and liabilities for mismatched transactions.
  • Verify player data accuracy at registration and during periodic KYC reviews.
  • Test internal workflows through simulations before the October 2025 deadline.
  • Train operational teams to understand the difference between benign mismatches and suspicious activity.

By doing so, operators can reduce the operational impact of VoP mismatches in online gambling while strengthening their compliance posture.
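The one-to-one payout rule, the repeated-mismatch monitoring from the best practices above and the "integrate VoP alerts into payout systems" action step can be expressed as a small payout gate. The following is an added illustration, not code from the article or from any PSP; the VoP outcome labels (match, close match, no match, verification not possible), the escalation threshold and the IBAN values are assumptions constructed for the example.

```python
from collections import defaultdict
import unicodedata

# Assumed VoP outcome labels (constructed for this example, not a PSP's exact API values).
MATCH, CLOSE_MATCH, NO_MATCH, NOT_POSSIBLE = "match", "close_match", "no_match", "not_possible"


def normalise_name(name):
    """Lower-case, strip accents and punctuation so 'José Rossi-Bianchi' == 'Jose Rossi Bianchi'."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(ascii_name.replace("-", " ").replace(".", " ").lower().split())


def precheck_payee_name(registered_name, payout_name):
    """Pre-flight data-accuracy check on the operator's side, before the PSP runs VoP.
    Compares name tokens as sets, so a missing middle name counts as a close match."""
    a = set(normalise_name(registered_name).split())
    b = set(normalise_name(payout_name).split())
    if a == b:
        return MATCH
    if a <= b or b <= a:  # one side is missing tokens, e.g. a middle name
        return CLOSE_MATCH
    return NO_MATCH


class PayoutGate:
    """Applies the one-to-one payout rule and tracks repeated VoP mismatches per player."""

    def __init__(self, escalate_after=3):
        self.escalate_after = escalate_after  # assumed threshold for compliance escalation
        self.mismatches = defaultdict(int)

    def decide(self, player, payout_iban, vop_result):
        """Return (decision, reason) for one payout request given the PSP's VoP result."""
        # One-to-one rule: winnings go only to the account tied to the verified player.
        if payout_iban != player["verified_iban"]:
            return "hold", "third-party account: document the relationship and run AML review"
        if vop_result == MATCH:
            return "release", "PSP confirmed payee name and IBAN"
        if vop_result == NOT_POSSIBLE:
            return "hold", "VoP unavailable: manual verification before release"
        # close_match and no_match both count towards the repeated-mismatch indicator
        self.mismatches[player["id"]] += 1
        if self.mismatches[player["id"]] >= self.escalate_after:
            return "escalate", "repeated mismatches: possible account takeover or proxy use"
        if vop_result == CLOSE_MATCH:
            return "hold", "near match (e.g. missing middle name): confirm details with player"
        return "hold", "no match: verify beneficiary details before release"
```

The joint review of alerts by compliance and payments teams then works from the "hold" and "escalate" decisions rather than from raw PSP responses.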

Turning compliance into competitive advantage

The implementation of the VoP system shouldn’t be viewed merely as a regulatory burden. Handled strategically, it can enhance payment transparency, reduce fraud and build player trust.

Operators who proactively address VoP mismatches in online gambling will stand out for their reliability and commitment to safeguarding players’ funds. In an industry increasingly defined by trust and compliance, early adaptation will translate into smoother operations and stronger reputations.

Conclusion

The Instant Payments Regulation reshapes how payments are verified across Europe. For the gambling sector, VoP mismatches in online gambling are an unavoidable challenge – but also an opportunity to refine AML controls and modernise internal systems.

By coordinating with PSPs, improving data accuracy and training staff to manage verification alerts, remote gaming operators can ensure compliance, maintain seamless payouts and reinforce player confidence.

Author: Vincenzo Giuffrè



Innovation Law Insights is compiled by DLA Piper lawyers, coordinated by Edoardo Bardelli, Carolina Battistella, Noemi Canova, Gabriele Cattaneo, Giovanni Chieco, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Enila Elezi, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Giulio Napolitano, Deborah Paracchini, Maria Vittoria Pessina, Marianna Riedo, Tommaso Ricci, Rebecca Rossi, Dorina Simaku, Roxana Smeria, Massimiliano Tiberio, Federico Toscani, Giulia Zappaterra.

Articles concerning Telecommunications are curated by Massimo D’Andrea, Flaminia Perna, Matilde Losa and Arianna Porretti.

For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta, Ginevra Righini.

Learn about Prisca AI Compliance, the legal tech tool developed by DLA Piper to assess the maturity of AI systems against key regulations and technical standards here.

You can learn more about “Transfer,” the legal tech tool developed by DLA Piper to support companies in evaluating data transfers out of the EEA (TIA) here, and check out a DLA Piper publication outlining Gambling regulation here, as well as Diritto Intelligente, a monthly magazine dedicated to AI, here.

If you no longer wish to receive Innovation Law Insights or would like to subscribe, please email Silvia Molignani.
